Analysis
max time kernel: 150s
max time network: 82s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2024 15:52
Behavioral task: behavioral1
Sample: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
Resource: win7-20241010-en
General
Target: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
Size: 507KB
MD5: 536324c02bf4d7cdde41fb4340308a00
SHA1: 2dfc4ed8b2e164716c7e10e91f49ac93b3787f50
SHA256: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633f
SHA512: 88fc0cef9ecd31d544df5d8ed11ce20001659edba3c8232600a5d6dbfda0c198e8d0ffcd6efcd8267ed67646cc0a4b719c7005c3ce6fa49faec41cd9f9205e47
SSDEEP: 12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo9:3MUv2LAv9AQ1p4dK0
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Deletes itself 1 IoCs
Processes:
PID 2944: cmd.exe
Executes dropped EXE 2 IoCs
Processes:
PID 2144: tenon.exe
PID 1100: kopuc.exe
Loads dropped DLL 2 IoCs
Processes:
PID 2792: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
PID 2144: tenon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by tenon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by kopuc.exe
Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes:
PID 1100: kopuc.exe (53 events)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 2792 wrote to memory of 2144: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe -> tenon.exe (4 events)
PID 2792 wrote to memory of 2944: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe -> cmd.exe (4 events)
PID 2144 wrote to memory of 1100: tenon.exe -> kopuc.exe (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe (PID 2792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tenon.exe (PID 2144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tenon.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\kopuc.exe (PID 1100)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kopuc.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 2944)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads